Hi, I'm in the early stages of analysing this problem:
- Tomcat Embedded 9.0.37 with clustering enabled
- SpringBoot application, 2.1.16
- Login with no existing JSESSIONID fails

I can see the following code is executed twice within one request, the login attempt:

*~/.m2/repository/org/apache/tomcat/tomcat-catalina/9.0.37/tomcat-catalina-9.0.37-sources.jar!/org/apache/catalina/session/ManagerBase.java:677*

    public void add(Session session) {
        sessions.put(session.getIdInternal(), session);

The first time it's executed, the session with the Spring context is added. The second time it's executed, a second session with the same ID, but without the Spring context, or any other session attribute I add for that matter, overwrites the existing session, and login fails. If I debug and prevent this by renaming the second session ID, login works because the original session is preserved.

The stack-trace for the first call is shown below:

add:678, ManagerBase (org.apache.catalina.session)
setId:358, StandardSession (org.apache.catalina.session)
setId:327, DeltaSession (org.apache.catalina.ha.session)
setId:345, DeltaSession (org.apache.catalina.ha.session)
createSession:719, ManagerBase (org.apache.catalina.session)
createSession:422, DeltaManager (org.apache.catalina.ha.session)
createSession:410, DeltaManager (org.apache.catalina.ha.session)
doGetSession:3043, Request (org.apache.catalina.connector)
getSession:2441, Request (org.apache.catalina.connector)
getSession:908, RequestFacade (org.apache.catalina.connector)
getSession:920, RequestFacade (org.apache.catalina.connector)
getSession:253, HttpServletRequestWrapper (javax.servlet.http)
getSession:253, HttpServletRequestWrapper (javax.servlet.http)
getSession:253, HttpServletRequestWrapper (javax.servlet.http)
onAuthentication:66, RegisterSessionAuthenticationStrategy (org.springframework.security.web.authentication.session)
doFilter:218, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:200, AbstractAuthenticationProcessingFilter (org.springframework.security.web.authentication)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:116, LogoutFilter (org.springframework.security.web.authentication.logout)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:74, HeaderWriterFilter (org.springframework.security.web.header)
doFilter:119, OncePerRequestFilter (org.springframework.web.filter)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:74, CSRFSameOriginHeaderCheckFilter (ourcompany.common.web)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:36, SessionTrackingFilter (ourcompany.common.web)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:105, SecurityContextPersistenceFilter (org.springframework.security.web.context)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:56, WebAsyncManagerIntegrationFilter (org.springframework.security.web.context.request.async)
doFilter:119, OncePerRequestFilter (org.springframework.web.filter)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:157, ChannelProcessingFilter (org.springframework.security.web.access.channel)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilter:87, MetadataGeneratorFilter (org.springframework.security.saml.metadata)
doFilter:334, FilterChainProxy$VirtualFilterChain (org.springframework.security.web)
doFilterInternal:215, FilterChainProxy (org.springframework.security.web)
doFilter:178, FilterChainProxy (org.springframework.security.web)
invokeDelegate:358, DelegatingFilterProxy (org.springframework.web.filter)
doFilter:271, DelegatingFilterProxy (org.springframework.web.filter)
internalDoFilter:193, ApplicationFilterChain (org.apache.catalina.core)
doFilter:166, ApplicationFilterChain (org.apache.catalina.core)
invoke:202, StandardWrapperValve (org.apache.catalina.core)
__invoke:96, StandardContextValve (org.apache.catalina.core)
invoke:41002, StandardContextValve (org.apache.catalina.core)
invoke:541, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:139, StandardHostValve (org.apache.catalina.core)
invoke:182, JvmRouteBinderValve (org.apache.catalina.ha.session)
invoke:330, ReplicationValve (org.apache.catalina.ha.tcp)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:74, StandardEngineValve (org.apache.catalina.core)
invoke:747, RemoteIpValve (org.apache.catalina.valves)
service:343, CoyoteAdapter (org.apache.catalina.connector)
service:373, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:868, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1589, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:748, Thread (java.lang)

The stack-trace for the second call is shown below:

add:678, ManagerBase (org.apache.catalina.session)
setId:358, StandardSession (org.apache.catalina.session)
setId:327, DeltaSession (org.apache.catalina.ha.session)
handleSESSION_CREATED:1322, DeltaManager (org.apache.catalina.ha.session)
messageReceived:1192, DeltaManager (org.apache.catalina.ha.session)
messageDataReceived:949, DeltaManager (org.apache.catalina.ha.session)
messageReceived:77, ClusterSessionListener (org.apache.catalina.ha.session)
messageReceived:788, SimpleTcpCluster (org.apache.catalina.ha.tcp)
messageReceived:771, SimpleTcpCluster (org.apache.catalina.ha.tcp)
messageReceived:335, GroupChannel (org.apache.catalina.tribes.group)
messageReceived:91, ChannelInterceptorBase (org.apache.catalina.tribes.group)
messageReceived:97, StaticMembershipInterceptor (org.apache.catalina.tribes.group.interceptors)
messageReceived:91, ChannelInterceptorBase (org.apache.catalina.tribes.group)
messageReceived:175, TcpPingInterceptor (org.apache.catalina.tribes.group.interceptors)
messageReceived:91, ChannelInterceptorBase (org.apache.catalina.tribes.group)
messageReceived:117, TcpFailureDetector (org.apache.catalina.tribes.group.interceptors)
messageReceived:91, ChannelInterceptorBase (org.apache.catalina.tribes.group)
messageReceived:91, ChannelInterceptorBase (org.apache.catalina.tribes.group)
messageReceived:274, ChannelCoordinator (org.apache.catalina.tribes.group)
messageDataReceived:261, ReceiverBase (org.apache.catalina.tribes.transport)
drainChannel:216, NioReplicationTask (org.apache.catalina.tribes.transport.nio)
run:101, NioReplicationTask (org.apache.catalina.tribes.transport.nio)
runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
run:748, Thread (java.lang)

Any help would be appreciated. I can replicate this every time and spend some time investigating this.

Cheers,
Tim